[Bug 291001] security/rkhunter rkhunter doesn't handle BSDng ports with (null) checksums
Date: Thu, 13 Nov 2025 18:35:19 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291001
Bug ID: 291001
Summary: security/rkhunter rkhunter doesn't handle BSDng ports with (null) checksums
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: pirzyk@FreeBSD.org
CC: lukasz@wasikowski.net
Flags: maintainer-feedback?(lukasz@wasikowski.net)
Created attachment 265399
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=265399&action=edit
Proposed patch
The latest version of pkg (2.4.2_1) on FreeBSD 14.3-RELEASE-p5 does not have
any valid checksums. rkhunter runs the following command to extract checksums
from the port and installs them into its own DB.
pkg query '%Fp: %Fs' $PORT | grep ${FNAME}: | sed -r -e 's/^.*: (1\$)?([A-Fa-f0-9]+)$/\2/'
When running this command against pkg, we get this result (see attachment for
full output of the pkg query command):
/usr/local/sbin/pkg: (null)
But the correctly formatted output should be something like this (used for the
rkhunter pkg itself):
pkg query '%Fp: %Fs' rkhunter | grep /usr/local/bin/rkhunter: | sed -r -e 's/^.*: (1\$)?([A-Fa-f0-9]+)$/\2/'
251d41356add11649268be142b8c831234be1620b7ed97cf78d76f52dec07d2e
The resulting error causes an off-by-one error when running rkhunter in check
mode (as usually done through periodic/security):
Running rkhunter...
Warning: Package manager verification has failed:
File: /usr/local/sbin/pkg
The file hash value has changed
Warning: The file properties have changed:
File: /usr/local/sbin/pkg
Current permissions: 0755 Stored permissions: 167465
Current uid: 0 Stored uid: 0755
Current inode: 167465 Stored inode: (null)
Current size: 3870032 Stored size: 0
Current file modification time: 1762391141 (5-Nov-2025 19:05:41)
Stored file modification time : 3870032 (14-Feb-1970 13:00:32)
Note the size is zero (really uid), stored permissions look like the inode,
etc.
Also attached is a proposed patch to ignore the (null) and have rkhunter just
use the /sbin/sha256 (default hash program) to recalculate the value. Since
the main rkhunter script (/usr/local/bin/rkhunter) already gets patched, this
change needs to be included in the existing patch file.
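Added example, not part of the bug report, rkhunter's code or the attached patch: it shows why the quoted sed pipeline passes "(null)" lines through unchanged, and one way to validate the extracted value before storing it, recalculating the hash otherwise. The function names, the 64-hex-digit (SHA-256) check and the sample query output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not rkhunter's code and not the attached patch.

# Constructed sample of `pkg query '%Fp: %Fs' <port>` output.
SAMPLE_QUERY='/usr/local/bin/rkhunter: 1$251d41356add11649268be142b8c831234be1620b7ed97cf78d76f52dec07d2e
/usr/local/sbin/pkg: (null)'

# Extraction as quoted in the report. When the regex does not match,
# sed prints the input line unchanged instead of a hash.
extract_as_reported() {   # $1 = file name, stdin = pkg query output
    grep "${1}:" | sed -r -e 's/^.*: (1\$)?([A-Fa-f0-9]+)$/\2/'
}

# Checked extraction: print the value only if it is exactly 64 hex digits
# (SHA-256 assumed); otherwise print nothing and return 1.
extract_checked() {       # $1 = file name, stdin = pkg query output
    h=$(grep -F "${1}: " | sed -r -e 's/^.*: (1\$)?([A-Fa-f0-9]+)$/\2/')
    case "$h" in
        ''|*[!A-Fa-f0-9]*) return 1 ;;
    esac
    [ "${#h}" -eq 64 ] || return 1
    printf '%s\n' "$h"
}

# Hash a file: sha256 -q on FreeBSD, sha256sum elsewhere.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Use the package manager's hash when valid, else recalculate it.
stored_hash() {           # $1 = file path, $2 = pkg query output
    printf '%s\n' "$2" | extract_checked "$1" || sha256_of "$1"
}

# Demo on the constructed sample.
printf 'as reported: %s\n' "$(printf '%s\n' "$SAMPLE_QUERY" | extract_as_reported /usr/local/sbin/pkg)"
printf 'checked:     %s\n' "$(printf '%s\n' "$SAMPLE_QUERY" | extract_checked /usr/local/sbin/pkg || echo '<none, fall back>')"
```

A recalculated hash only records the file as it is on disk at update time; it is not an independent check against the package database.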